Exchange 2010 and resource mailboxes creation problem
I'm reposting my question in Microsoft's monitored forum, hoping to get an answer from Microsoft support too. My problem is described here: http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/a63b6d9e-7de3-4c6d-bb58-2b730f2ecbe8

But I'll repost my initial problem: I have Exchange 2010 SP2 RU3 servers in a Windows 2008 R2 domain. I'm using the completely split permissions model. In general, AD admins pre-create users and Exchange admins create mailboxes for them. Everything works great for user mailboxes. But today I tried to create a room mailbox (resource mailbox). I created the user in ADUC and disabled this account, as this is a required step. Then I tried to create the room mailbox and assign this user to the new resource mailbox. And I got a nice error when creation finished:

Summary: 1 item(s). 1 succeeded, 0 failed.
Elapsed time: 00:00:00
Completed
Warning: The ntSecurityDescriptor of the Active Directory object "xxx/xxx/xxx" wasn't updated successfully. Error: "Active Directory operation failed on msft-dc-01.lbank.msft. This error is not retriable. Additional information: Access is denied. Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 ".
Exchange Management Shell command completed: Enable-Mailbox -Identity xxx/xxx/xxx' -Alias '213ppsale' -Database 'DB' -Room
Elapsed Time: 00:00:00

I suspect that this problem is caused by the split permissions model I use. The DC logs the following error:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 6/1/2012 1:25:45 PM
Event ID: 4662
Task Category: Directory Service Access
Level: Information
Keywords: Audit Failure
User: N/A
Computer: msft-dc-01.lbank.msft
Description: An operation was performed on an object.
Subject:
Security ID: LBANKMSFT\MSFT-V-MBX-01$
Account Name: MSFT-V-MBX-01$
Account Domain: LBANKMSFT
Logon ID: 0x81d6fc0b
Object:
Object Server: DS
Object Type: user
Object Name: CN=213 Pirma Posedziu Sale,OU=tarnybiniai vartotojai,DC=lbank,DC=msft
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: WRITE_DAC
Access Mask: 0x40000
Properties: --- {bf967aba-0de6-11d0-a285-00aa003049e2}

It seems that the mailbox server tried to modify the user account and failed. So I tried to set full access rights on this disabled account for the mailbox server, and then I was able to create the resource mailbox without any problems. From that I can assume that when I enabled the split permissions model, permissions were set incorrectly. Maybe it was a bug, as I have the same situation in completely different domains (production and testing ones). So how can I correct this problem?
June 4th, 2012 1:43am

Have you tried disabling the account after creating the mailbox for it?

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
June 4th, 2012 4:03pm

Dear Ed, it is not possible to create a resource mailbox for an enabled pre-created account.
June 4th, 2012 11:25pm

I wasn't aware of that, but I see that's true. I was able to turn a disabled account into a resource account, though, but I wasn't using any split permissions model, so I don't have an answer for you except that you're going to have to spend whatever cycles it takes to find out where your permissions are missing.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
June 5th, 2012 12:44am

Ed, can you enable the Active Directory split permissions model to test this issue? :) setup.com /PrepareAD /ActiveDirectorySplitPermissions:true You'll be able to revert back after all tests. Of course, only if you have a testing environment. Thanks.
June 5th, 2012 1:05am

I'll try to look at it sometime, but I can't do it now, sorry. I hope someone else can chime in with their opinion in the meantime.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
June 5th, 2012 1:12am

Hi Rimvydas, I have not seen this issue before. I will try to test it in my lab and post the updates. Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support
June 5th, 2012 5:07am

Hi Rimvydas, I checked in my lab and get the same result. But I think this may not be a bug; the warning is because when you create a resource mailbox, Exchange administrators or groups need to create security principals in Active Directory or modify non-Exchange attributes on those objects. You can see this:

Some cmdlets, although still available, may offer only limited functionality when used with Active Directory split permissions. This is because they may allow you to configure recipient objects that are in the domain Active Directory partition and Exchange configuration objects that are in the configuration Active Directory partition. They may also allow you to configure Exchange-related attributes on objects stored in the domain partition. Attempts to use the cmdlets to create objects, or modify non-Exchange-related attributes on objects, in the domain partition will result in an error.

Details are in this document: Understanding Split Permissions http://technet.microsoft.com/en-us/library/dd638106.aspx

To fix this issue, you can try to change the permissions for Exchange administrators and groups. Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support
June 6th, 2012 6:57am

In this particular issue the mailbox server is trying to modify this disabled account. Don't you think that such issues must be mentioned in some kind of KB article? Because I don't know now if I can use the resource mailbox created with the error :/ As you talked about permissions, another question :) What minimal permissions must I grant to the Exchange servers to be able to modify the required account? I'm talking about MINIMAL permissions. Thanks.
June 6th, 2012 7:28am

Hi, I checked in my other environment and found that Exchange Servers have full control permission on the room mailbox, so I suggest you follow this workaround for this issue:

Create one OU for all the resource mailboxes in ADUC.
Use Delegate Control to give Exchange Servers "Create, delete, and manage user accounts".

Then you will find that using users in that OU to create a resource mailbox will not give that warning. Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support
June 7th, 2012 2:10am

Evan, I think that "Create, delete, and manage user accounts" permissions are rather big ones. It would be nice to know what MINIMAL permissions are needed.
June 7th, 2012 2:20am

I think it needs that permission; you can check your error information above:

Operation: Operation Type: Object Access Accesses: WRITE_DAC

WRITE_DAC: The right to modify the discretionary access control list (DACL) in the object's security descriptor. Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support
June 7th, 2012 2:25am
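A way to check and narrow the permission discussed above, as an added example that is not code from the thread or from Microsoft: it lists which principals hold WriteDacl (the 0x40000 access mask in the 4662 event) on the pre-created account, and grants only WriteDacl, inherited by user objects under a dedicated resource-mailbox OU, to the Exchange Servers group rather than the broader "Create, delete, and manage user accounts" delegation. The OU, domain, group and account DN are placeholders; it assumes the ActiveDirectory module is available and that WriteDacl is the only right needed, which the thread suggests but does not confirm for every build.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module (AD: drive)
# and placeholder names: adjust $ResourceOU, $ServerGroup and the DN you check.
Import-Module ActiveDirectory

$ResourceOU    = 'OU=Resource Mailboxes,DC=example,DC=test'   # placeholder: dedicated OU for room accounts
$ServerGroup   = 'EXAMPLE\Exchange Servers'                    # Exchange's own server security group
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema GUID of the 'user' class (shown in the 4662 event)
$WriteDaclMask = 0x40000                                       # the Access Mask the failed 4662 event reported

# List Allow ACEs that carry WriteDacl on one object (full control also sets this bit).
function Get-WriteDaclHolders {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band $WriteDaclMask) -ne 0)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Grant WriteDacl only, inherited by descendant user objects of the OU, instead of the
# broader "Create, delete, and manage user accounts" delegation. WriteDacl still lets the
# holder rewrite those objects' DACLs, so keep it scoped to the dedicated OU.
function Grant-WriteDaclOnResourceOU {
    param(
        [Parameter(Mandatory)][string]$OU,
        [Parameter(Mandatory)][string]$Identity
    )
    $sid  = ([System.Security.Principal.NTAccount]$Identity).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
                $UserClassGuid)
    $acl = Get-Acl -Path "AD:\$OU"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

# Usage: inspect the account that produced the warning, delegate on the OU, then re-check.
$RoomDN = 'CN=Room 213,OU=Resource Mailboxes,DC=example,DC=test'   # placeholder
Get-WriteDaclHolders -DistinguishedName $RoomDN | Format-Table -AutoSize
Grant-WriteDaclOnResourceOU -OU $ResourceOU -Identity $ServerGroup
Get-WriteDaclHolders -DistinguishedName $RoomDN | Format-Table -AutoSize
```

Run the first check before any change: if the Exchange Servers group already appears with WriteDacl inherited from above, the failure lies elsewhere and adding the ACE will not help.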

Hello, any updates on this issue? Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support
June 7th, 2012 10:31pm

I think I'll live with this :) But it would be nice to mention this problem in some kind of article.
June 8th, 2012 4:48am

Maybe this will be mentioned in later updates. Thanks for your understanding. Best Regards, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support
June 19th, 2012 5:49am

I've tried to check once more and it seems that it is enough to set the modify permissions right for the server account on the required AD object. But this whole thing seems like a bug in the split permissions model of Exchange :( A missed thing...
June 21st, 2012 5:43am

I think this is not a bug; the document has explained it clearly:

Some cmdlets, although still available, may offer only limited functionality when used with Active Directory split permissions. This is because they may allow you to configure recipient objects that are in the domain Active Directory partition and Exchange configuration objects that are in the configuration Active Directory partition.

Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support
June 21st, 2012 9:33pm

I completely understand your point, but I still think that this is an omission made by Microsoft :) Room mailbox creation is one of the important and frequently used options, and I think that this thing must be fixed. Note, I can create user mailboxes without a single problem using this split permissions model. If it is not possible to fix this, this problem MUST be mentioned somewhere. It could be the mailbox creation results window.
June 22nd, 2012 12:50am

Hi Rimvydas, I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thanks, Evan Liu TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb@microsoft.com Evan Liu TechNet Community Support
June 27th, 2012 11:24pm
